Industrial control systems, such as those in factories, electrical power plants, refineries, water treatment facilities and other utilities, as well as other types of control systems, may be vulnerable to cyber-attack in both known and unknown ways. Such systems may also fail in both known and unknown ways. Utilities are investing an increasing portion of their budgets in improving the security of their networks. The potential impact of a cyber-attack against critical infrastructures such as the power grid is enormous, and governments are encouraging an increase in the current, relatively low level of security of these industrial control systems. Reliance on network isolation, used as a primary method of defense by utilities worldwide, was proven to be ineffective and erroneous, as confirmed by the Stuxnet attack. While protection products targeted to a particular protocol may be effective in systems using that protocol, the vast numbers of closed, embedded systems using programmable logic controllers and other types of controllers are left unprotected. Yet access to individual industrial control system (ICS) devices, even for protection purposes, is often difficult. Many vendors prevent operators from installing additional software on hosts, since doing so would void warranties. In addition, many vendors have implemented proprietary extensions to standard protocols for industrial control systems; these extensions offer additional functionality but are nonstandard. Some industrial control system security products work at the network level by implementing parsers for common industrial control system protocols, but these do not necessarily function well for protocols that have been modified with such proprietary extensions. Many operators choose to leverage the proprietary extensions, which leads to undocumented interactions in the network that are not easily taken into account, so the protection of such environments is suboptimal.
Industrial control systems may include controllers that use protocols for which no security product is yet available. Data diodes, which allow data to flow into an industrial control system but prevent information from leaving the system, are limited in the amount of protection they provide. Knowledge-based intrusion detection can attempt to identify threat vectors by specifying their characteristic behavior, but is vulnerable to sophisticated attacks that leverage zero-day exploits to evade detection. Anomaly detection is a promising avenue for protecting these environments. However, the need to parse and understand network exchanges severely limits its ability to cope with the diversity of configurations in many industrial control systems. Therefore, there is a need in the art for a solution which overcomes the drawbacks described above.